dns: got a working letsencrypt setup
This commit is contained in:
parent
ef37392f07
commit
6119c9a88a
6 changed files with 145 additions and 111 deletions
|
@ -73,106 +73,124 @@ in {
|
|||
};
|
||||
|
||||
services.bind = {
|
||||
enable = true;
|
||||
enable = true;
|
||||
|
||||
ipv4Only = true;
|
||||
ipv4Only = true;
|
||||
|
||||
# need to take a look at https://nixos.org/manual/nixos/unstable/#module-security-acme-config-dns
|
||||
extraConfig = ''
|
||||
include "/run/agenix/dns_dnskeys";
|
||||
'';
|
||||
# need to take a look at https://nixos.org/manual/nixos/unstable/#module-security-acme-config-dns
|
||||
extraConfig = ''
|
||||
include "/run/agenix/dns_dnskeys";
|
||||
'';
|
||||
|
||||
# set the upstream dns servers
|
||||
# overrides the default dns servers
|
||||
forwarders = [
|
||||
# Cloudflare
|
||||
"1.1.1.1"
|
||||
# Google
|
||||
"8.8.8.8"
|
||||
# Quad9
|
||||
"9.9.9.9"
|
||||
];
|
||||
# set the upstream dns servers
|
||||
# overrides the default dns servers
|
||||
forwarders = [
|
||||
# Cloudflare
|
||||
"1.1.1.1"
|
||||
# Google
|
||||
"8.8.8.8"
|
||||
# Quad9
|
||||
"9.9.9.9"
|
||||
];
|
||||
|
||||
cacheNetworks = [
|
||||
# this server itself
|
||||
"127.0.0.0/24"
|
||||
# all of skynet can use this as a resolver
|
||||
"193.1.99.64/26"
|
||||
];
|
||||
cacheNetworks = [
|
||||
# this server itself
|
||||
"127.0.0.0/24"
|
||||
# all of skynet can use this as a resolver
|
||||
"193.1.99.64/26"
|
||||
];
|
||||
|
||||
zones = {
|
||||
/*
|
||||
put any other zones above skynet and link to their files like so:
|
||||
zones = {
|
||||
/*
|
||||
put any other zones above skynet and link to their files like so:
|
||||
|
||||
example.ie = {
|
||||
extraConfig = "";
|
||||
file = ./dns/example;
|
||||
master = true;
|
||||
masters = [];
|
||||
slaves = [ ];
|
||||
};
|
||||
|
||||
Skynet is handled a bit more dynamically since it is the key one we should focus on
|
||||
*/
|
||||
|
||||
"skynet.ie" = {
|
||||
extraConfig = "allow-update { key rfc2136key.skynet.ie.; };";
|
||||
# really wish teh nixos config didnt use master/slave
|
||||
example.ie = {
|
||||
extraConfig = "";
|
||||
file = ./dns/example;
|
||||
master = true;
|
||||
masters = [];
|
||||
slaves = [ ];
|
||||
# need to write this to a file
|
||||
file = pkgs.writeText "dns_zone_skynet"
|
||||
# no leading whitespace for first line
|
||||
''
|
||||
$TTL 60 ; 1 minute
|
||||
; hostmaster@skynet.ie is an email address that recieves stuff related to dns
|
||||
@ IN SOA ${cfg.own.nameserver}.skynet.ie. hostmaster.skynet.ie. (
|
||||
2023011701 ; Serial (YYYYMMDDCC)
|
||||
600 ; Refresh (10 minutes)
|
||||
300 ; Retry (5 minutes)
|
||||
2419200 ; Expire (4 weeks)
|
||||
3600 ; Minimum (1 hour)
|
||||
)
|
||||
NS ns1.skynet.ie.
|
||||
NS ns2.skynet.ie.
|
||||
; @ stands for teh root domain so teh A record below is where skynet.ie points to
|
||||
A 193.1.99.76
|
||||
MX 5 mail.skynet.ie.
|
||||
|
||||
; can have multiple mailserves
|
||||
;MX 20 mail2.skynet.ie.
|
||||
|
||||
|
||||
; ------------------------------------------
|
||||
; Server Names
|
||||
; ------------------------------------------
|
||||
|
||||
; External addresses
|
||||
; ------------------------------------------
|
||||
${lib.strings.concatMapStrings (x: x + "\n") cfg.records.external}
|
||||
|
||||
|
||||
; this is fixed for now
|
||||
wintermute A 193.1.101.148
|
||||
|
||||
|
||||
; internal addresses
|
||||
; ------------------------------------------
|
||||
; May come back to this idea in teh future
|
||||
; agentjones.int A 172.20.20.1
|
||||
|
||||
|
||||
; cname's
|
||||
; ------------------------------------------
|
||||
${lib.strings.concatMapStrings (x: x + "\n") cfg.records.cname}
|
||||
|
||||
'';
|
||||
};
|
||||
|
||||
Skynet is handled a bit more dynamically since it is the key one we should focus on
|
||||
*/
|
||||
|
||||
"skynet.ie" = {
|
||||
extraConfig = "allow-update { key rfc2136key.skynet.ie.; };";
|
||||
# really wish teh nixos config didnt use master/slave
|
||||
master = true;
|
||||
slaves = [ ];
|
||||
# need to write this to a file
|
||||
file = "/etc/dns_custom/dns_zone_skynet";
|
||||
# no leading whitespace for first line
|
||||
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
# creates a folder in /etc for the dns to use
|
||||
users.users.named = {
|
||||
createHome = true;
|
||||
home = "/etc/dns_custom";
|
||||
};
|
||||
|
||||
environment.etc = {
|
||||
# Creates /etc/dns_custom/dns_zone_skynet
|
||||
|
||||
"dns_custom/dns_zone_skynet" = {
|
||||
user = "named";
|
||||
group = "named";
|
||||
|
||||
# The UNIX file mode bits
|
||||
mode = "0644";
|
||||
|
||||
|
||||
text =
|
||||
''
|
||||
$TTL 60 ; 1 minute
|
||||
; hostmaster@skynet.ie is an email address that recieves stuff related to dns
|
||||
@ IN SOA ${cfg.own.nameserver}.skynet.ie. hostmaster.skynet.ie. (
|
||||
2023011701 ; Serial (YYYYMMDDCC)
|
||||
600 ; Refresh (10 minutes)
|
||||
300 ; Retry (5 minutes)
|
||||
2419200 ; Expire (4 weeks)
|
||||
3600 ; Minimum (1 hour)
|
||||
)
|
||||
NS ns1.skynet.ie.
|
||||
NS ns2.skynet.ie.
|
||||
; @ stands for teh root domain so teh A record below is where skynet.ie points to
|
||||
A 193.1.99.76
|
||||
MX 5 mail.skynet.ie.
|
||||
|
||||
; can have multiple mailserves
|
||||
;MX 20 mail2.skynet.ie.
|
||||
|
||||
|
||||
; ------------------------------------------
|
||||
; Server Names
|
||||
; ------------------------------------------
|
||||
|
||||
; External addresses
|
||||
; ------------------------------------------
|
||||
${lib.strings.concatMapStrings (x: x + "\n") cfg.records.external}
|
||||
|
||||
|
||||
; this is fixed for now
|
||||
wintermute A 193.1.101.148
|
||||
|
||||
|
||||
; internal addresses
|
||||
; ------------------------------------------
|
||||
; May come back to this idea in teh future
|
||||
; agentjones.int A 172.20.20.1
|
||||
|
||||
|
||||
; cname's
|
||||
; ------------------------------------------
|
||||
${lib.strings.concatMapStrings (x: x + "\n") cfg.records.cname}
|
||||
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
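Review bot: `allow-update { key rfc2136key.skynet.ie.; };`, kept on the new side of the `"skynet.ie"` zone, lets any holder of that TSIG key rewrite every record in the zone, while an ACME DNS-01 flow only needs to add and remove TXT records; consider replacing it with `update-policy { grant rfc2136key.skynet.ie. zonesub TXT; };` so a leaked key cannot repoint the A, MX or NS records (BIND treats `allow-update` and `update-policy` as mutually exclusive, so the old line goes). The zone now lives in a file that `environment.etc` regenerates on every activation, so records BIND writes via dynamic update are presumably discarded at the next rebuild and the serial falls back to the hard-coded `2023011701`; if a secondary has accepted a higher serial in the meantime it will stop transferring until the serial is bumped, so either bump the serial with each template change or treat the template as a one-time seed that is not rewritten. It is also not visible here whether `/etc/dns_custom` ends up writable by `named` for the `.jnl` journal that dynamic updates require — worth checking on the host, since both `createHome` and the `environment.etc` activation claim that directory. The enclosing attribute set starts before and ends after this hunk.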
@ -35,16 +35,16 @@
|
|||
# cannot use our own it seems?
|
||||
nameservers = [
|
||||
# ns2
|
||||
#"193.1.99.109"
|
||||
"193.1.99.109"
|
||||
# ns1
|
||||
#"193.1.99.120"
|
||||
"193.1.99.120"
|
||||
|
||||
# Cloudflare
|
||||
"1.1.1.1"
|
||||
#"1.1.1.1"
|
||||
# Google
|
||||
"8.8.8.8"
|
||||
#"8.8.8.8"
|
||||
# Quad9
|
||||
"9.9.9.9"
|
||||
#"9.9.9.9"
|
||||
];
|
||||
};
|
||||
|
||||
|
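Review bot: The comment `# cannot use our own it seems?` at the top of the hunk now contradicts the change beneath it, which switches the host's resolvers to the two skynet nameservers and comments out the public ones; replace it with something like `# resolve via our own nameservers (ns2, ns1); public resolvers kept below as a fallback`. With only `193.1.99.109` and `193.1.99.120` listed, the host presumably loses name resolution whenever its own BIND service is down or mid-rebuild, so leaving one public resolver as the last entry is a cheap safety net. The enclosing attribute set starts before and ends after this hunk.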
|
Binary file not shown.
|
@ -1,19 +1,31 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 V1pwNA 2ktkYzbOCI8Sedb7cFXrmOL7HqPmMFSmavTgJ/kXVyA
|
||||
3kcv57UNk7Hryd8RckwYzuzN7eY6Lle4+DdG+QC86Hk
|
||||
-> ssh-ed25519 rIwlvw MoH0rHRt6ZL/3Ew1O7zHN9pz5CSA6YxbJ840gx0jCGY
|
||||
AO7z51p5PlbAYUZgmk/joTdGeK4SxlCc+VgMcOrxkP0
|
||||
-> ssh-ed25519 bPfq4g zu5ZfmzDiMBSn0UUpyO9iFieE7b+MMbuk4X5ABSUwhg
|
||||
HKNFCsxNqEK94tEnYz5+cVypheP5Cf+5tYRft3rCucY
|
||||
-> ssh-ed25519 P1ilJQ pnX29lb1zHoXzv4S6+D4VtLPJEsrnkyhfNjsaNwkJmw
|
||||
hXc9XLxtvyzUJNdhPi40bMFzdpuUKOHkpZ3gWMfjWwk
|
||||
-> ssh-ed25519 XSrA6w +h7/dC7DYOcRK1nxTDvdsgDEM43bBChM6vJ4PuL45ww
|
||||
n0mVPplmTM3A76iF27Wt62RDJ4yeoZa51q6bRhPEcXA
|
||||
-> ssh-ed25519 pBdJmw b/oJKbk8mXkUsd0oRuzrAQHTsiZdE8cW5bDC3dM3Vn8
|
||||
6L+Zry15OyCXKOE71iqihTFVc2WB2Y7X7ZuFZSWXFSw
|
||||
-> ssh-ed25519 v2Y09A DBZDXfWnm/3d83xG4a7XnMDAU+WYR2l4UDOjWAwlVxA
|
||||
4wE9Ss/D2Mmq4WddUsoa79S3db4Z6vpDs9zQR+zLROw
|
||||
-> R9;-grease
|
||||
C4FHCe8aUuP55YV6ZnrphOE
|
||||
--- /fL2KiOXipdwzKNjkkfwON+3h9JGa+M8wod12lkJ37A
|
||||
tæwkGï°h€<EFBFBD>mhg?:LïŠXJÍîá‚^NN0O|a|<7C>ˆ3Æ|8E"%™3Z~žuÕ†—brÚˆA. ú)ñqëò,\ñ62ÕÆؼa`/<1'—rÝËÂÖIV3ÌñP _…éìID)RÝ”cVÌc–)BüG<C3BC>ƦO±<4F>²Õ¬;¦RÕö×Ù#4(Å-e£¯DÔ
|
||||
-> ssh-ed25519 V1pwNA sW0/BN/WfF+8VshBdG/RcuJNUJFoRiV207qXHJ+nEQU
|
||||
3xBHqOiK1MXQpfefvXpsUCAtB8SmpPYQxgWnKLY4/Mo
|
||||
-> ssh-ed25519 rIwlvw 5N++1xasQ3ngJK8rWcnV1febLgOxdQxzj2FdwLeuvm0
|
||||
Ync9n2pX/MPHi6fKcBw/rir/KUOBDRZapaxxsu+XQyI
|
||||
-> ssh-ed25519 bPfq4g GM5ZOInllLXKdpyIREUMWU0QToOgJe7TNWVoMXbYHTk
|
||||
EfTBSko70+g28s21kPAWixZmkgbwfmTzosmP11q5Kh0
|
||||
-> ssh-ed25519 P1ilJQ 6NcCV8qZcm4zCPAixGhazZvwh2bQxqHsz0p3XuS54z0
|
||||
wUPo7zXREnpUkS8mRTU3tM3WR9QuYiC48Rlzl7CyPdk
|
||||
-> ssh-ed25519 XSrA6w XV0e5v8rRSuTgsFPNjQOcaQnAJJ4JOCViTsiK7ClFUI
|
||||
BgY93FYHCAE2BmcNm8SRYKRqMoXc3IshLxkNlJVGxrU
|
||||
-> ssh-ed25519 pBdJmw /ppt+XqNCOj3ToS59AbT40lliyPi5aYdgsb+nOd70Cc
|
||||
pXQqbfdC00/ITW9zblgGS+SCaM84BcWRrVr12Gkaqqk
|
||||
-> ssh-ed25519 v2Y09A 25QeUKlLkjSOKFIBUHi8I0yQFtjJ10eMd5skrgB4wh4
|
||||
87j2b0Lvx+Qow8ggjVmkqDTc9par1RUAfmPxB9hL810
|
||||
-> ssh-rsa l6p0xw
|
||||
aXJe3/ZW4d1wW58cGO43c1c7VqUid6LQNudUXZQF7hDGwWp66zUeTtJS8iK1uVRr
|
||||
fBEd9MfCQXZ6e4mmeEsFDYhhsrihjFNqjv/V229VRfvlh6PFjyFsi8kOZmN0IyPC
|
||||
rffk42oS9cVuG1JT/98kE56vUdJ098E+D7W5vHD6lVayp97DpncQRNqXyTWMdYB+
|
||||
75aHyUnI3JXmhftwPmQXthwKqYm/z5Q1yHtUWqo3VZ/UIN2fWD17XOxIVVdksSh6
|
||||
WdhJ7B+KYP1oXHZKeTGMpmPP7FYrgybbFlNl2Bg3+hc2g+Pav63ovnokr4hzmxf9
|
||||
+Vy0/gwE5tLKYXhSgCsfYLoYLcjh2LtdyWttG7z12TjKFtoxS1wfO71PBmQAWwV6
|
||||
MAaOfZdCbxZ6xpcJuvONmuvXaxzOxbZ5bgtrd2msEf2L3xlDDAPzUB786kvTLjjh
|
||||
SkQFZvX8SWQBB4u7GKu7jwUYl8zcBfczVvQQ0APL/UUdIyYEClhbJO1MKJHgFAGN
|
||||
mnuU0GQguxllgsT6+lNyKT9yP9W7wP92Bh+FzfRBH39Rq+FTb+VSQ5aOdoxtmbdQ
|
||||
G99WJKDW0v3JXnveUeNGLXe0p0kH5qBdsZmRGcXmu1Wqwa5iIZKC80HEzztYFngc
|
||||
n9dxirg30yQYoGUdASEQUDA55ZWb4hsrY7O1bz/fJ/g
|
||||
-> B21^W'i:-grease X\JYH |@t jh9o
|
||||
t4jio4eAlhMaiiGmy7ZKe7feRi36XQpUMkHAWyF42EMDbwzRcNVcvophXSQ
|
||||
--- mvcfX2P6vxluKGbahXGgsl0bnjzgZF7Gd1HNEDnPh0o
|
||||
ç”×<EFBFBD>³í’K˜/Z7ÀA’´0+ÕF)Vço›Ãe(ÉOñ’þ}ç¸cùu([(àm6rB‹y“ÃÛX1=³ð-œî˜”<>_8Ò&âå»ü˔ۊçwÓ?Y,I9
€=8FÌ‘]oaÀWó<0F>íXG;2ó<32>jÃìem.Høƒ†Þ<0C>Š?ÿ"mÒKF9¢Š èX¹‰R
|
|
@ -16,6 +16,9 @@ let
|
|||
|
||||
galatea = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII3Mke5YtaMkLvXJxJ3y7YAIEBesoJk3qJyJsnoLUWgW root@galatea";
|
||||
|
||||
# for testing configs at home
|
||||
silver_homelab = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCG1JzosOwS7oKjgm0+FlqMKrUbu+M5403un+VA7LwiGRQnneawuq6aqQsIoDqAlb9AzUdLTeBQb+rBf94kx7yVGdEIz1i34WdMK3kgl176jnDIR4TWeNKdj8Q6+4d7tn5mZrqmpXZ/+1KSauV9JHxytR+7A4NVexkhGX1Mq3efGBYsCKzUQh83lHs2baWUYuxaPCCR6vy6uklzQRQfg+NsxCCUKkbgJwv1ar5U1ccr4N89EWiR2Yu4XsPzXr0JJUQcUy587l+G7QYVoCwVgUKHevCRqtRlmnI6JrzWctQJPpAmWF4EF66QnWccdXUS+aVc0IKP0ORqmz8Nps4NWWVPjRRxeshl2XfFawWxGlgT4WJ0+qv/EDVPZQvNBrjFvY5QBAaU08Nnkg6QzehlwD4/zQQMFiDjMb7sUuhXdq0vOK235QMhS4jtX7Sm2ki6mJdXrlErq9dIaqcoYuw9EtfajaM/NnGYIy97JUOrfztQTAwiuPgrc4DijpdR0QtvYK7NvefiJYcW+osmcv+FYM03kMXK9uGtM6KI44i27ZdsUFWTIHeiR1yBGUfP1ObFLLaNx5E42jSA77RLF8BSUaPbGgRv3OciACNftIKhAJrV4AZGvBbaUvAlzC8CryFAcRDgQwIVlXBJzChc7Rh9/V8I5342Tq7xMmzBQ2WcQdqZ9Q== root@galatea";
|
||||
|
||||
|
||||
systems = [
|
||||
agentjones
|
||||
|
@ -23,12 +26,13 @@ let
|
|||
galatea
|
||||
vendetta
|
||||
vigil
|
||||
|
||||
silver_homelab
|
||||
];
|
||||
in
|
||||
{
|
||||
# nix run github:ryantm/agenix -- -e secret1.age
|
||||
|
||||
"wireguard.age".publicKeys = users ++ systems;
|
||||
"dns_certs.secret.age".publicKeys = users ++ systems;
|
||||
"dns_dnskeys.conf.age".publicKeys = users ++ systems;
|
||||
|
||||
|
|
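Review bot: `"dns_dnskeys.conf.age".publicKeys = users ++ systems;` encrypts what is presumably the TSIG key that the BIND zone's `allow-update` trusts to every host key in `systems` — now including `silver_homelab`, which the comment describes as a home testing machine — so every host in the fleet and the homelab box can decrypt the key that rewrites the `skynet.ie` zone; the same applies to `dns_certs.secret.age`. Limit these two entries to the admins plus the hosts that actually run the nameserver, e.g. `"dns_dnskeys.conf.age".publicKeys = users ++ [ <ns1-host-key> <ns2-host-key> ];` (placeholders: the nameserver hosts are not identified in this hunk). Adding a homelab key to `systems` also grants it `wireguard.age`, which is presumably not intended for a test machine; a separate `test_systems` list that is only appended to the secrets it needs keeps the blast radius of that key small. The `let` block this hunk edits starts before and ends after it.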
Binary file not shown.